On 10/4/11 10:57 AM, Darran Lofthouse wrote:
On 10/04/2011 03:44 PM, Bill Burke wrote:
>
> Then, your web.xml could look like this:
>
> <login-config>
> <auth-method>JBOSS</auth-method>
> <realm-name>jmx-console</realm-name>
> </login-config>
>
> And you don't have to do any real configuration from an application
> perspective if there are already built in security domains that support
> what you want to do.
>
I have a similar issue to some of your concerns to solve for JBoss
Remoting and inserting the 'Authenticator' during deployment has been
suggested - if we pick out the <realm-name> specified here an
authenticator based on the capabilities of the realm can be inserted
although you may still want app specific config when deciding between
say BASIC and FORM auth.

So, it could also be:

<login-config>
<auth-method>Basic</auth-method>
<realm-name>jmx-console</realm-name>
</login-config>

Then, we write an AuthModule that looks at the HttpServletRequest's
authtype, and decides what to delegate to.

So, maybe instead of a JBOSS auth-method, it could be a DEFAULT
auth-method. That way a security domain can provide a default mechanism
for web security, and allow the user to override this default within
web.xml.

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
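
The resolution rule discussed in this thread, as an added example that is not part of the original messages and is not JBoss code: a DEFAULT auth-method takes the security domain's own mechanism, and an explicit auth-method in web.xml overrides it. The class name, the `DOMAIN_MECHANISMS` table and the choice to refuse an unknown domain or an unsupported override are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class AuthMethodResolver {
    // Hypothetical per-domain capabilities; the first entry is treated as the domain default.
    static final Map<String, List<String>> DOMAIN_MECHANISMS = Map.of(
            "jmx-console", List.of("BASIC", "FORM"));

    static String text(Document doc, String tag) {
        var nodes = doc.getElementsByTagName(tag);
        return nodes.getLength() == 0 ? "" : nodes.item(0).getTextContent().trim();
    }

    /** Returns the mechanism to install for a login-config, or throws to refuse deployment. */
    static String resolve(String loginConfigXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Deployment descriptors are untrusted input: forbid DOCTYPE to rule out XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(loginConfigXml.getBytes(StandardCharsets.UTF_8)));
        String realm = text(doc, "realm-name");
        String method = text(doc, "auth-method").toUpperCase(Locale.ROOT);
        List<String> supported = DOMAIN_MECHANISMS.get(realm);
        if (supported == null) {              // assumption: fail closed on an unknown domain
            throw new IllegalStateException("unknown security domain: " + realm);
        }
        if (method.equals("DEFAULT")) {
            return supported.get(0);          // the domain supplies the mechanism
        }
        if (!supported.contains(method)) {    // an override must be something the domain can do
            throw new IllegalStateException(realm + " does not support " + method);
        }
        return method;                        // the web.xml override wins
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample descriptors modelled on the login-config shown in the thread.
        String tpl = "<login-config><auth-method>%s</auth-method>"
                + "<realm-name>jmx-console</realm-name></login-config>";
        for (String m : new String[] {"DEFAULT", "Basic", "FORM"}) {
            System.out.println(m + " -> " + resolve(String.format(tpl, m)));
        }
    }
}
```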